Abstract

This work addresses the problem of ensuring trustworthy computation in a linear consensus network. A solution
to this problem is relevant for several tasks in multi-agent systems including motion coordination, clock
synchronization, and cooperative estimation. In a linear consensus network, we allow for the presence of misbehaving
agents, whose behavior deviates from the nominal consensus evolution. We model misbehaviors as unknown and
unmeasurable inputs affecting the network, and we cast the misbehavior detection and identification problem into an
unknown-input system theoretic framework. We consider two extreme cases of misbehaving agents, namely faulty
(non-colluding) and malicious (Byzantine) agents. First, we characterize the set of inputs that allow misbehaving
agents to affect the consensus network while remaining undetected and/or unidentified from certain observing
agents. Second, we provide worst-case bounds for the number of concurrent faulty or malicious agents that can
be detected and identified. Precisely, the consensus network needs to be 2k + 1 (resp. k + 1) connected for k
malicious (resp. faulty) agents to be generically detectable and identifiable by every well behaving agent. Third,
we quantify the effect of undetectable inputs on the final consensus value. Fourth, we design three algorithms to
detect and identify misbehaving agents. The first and the second algorithm apply fault detection techniques, and
afford complete detection and identification if global knowledge of the network is available to each agent, at a high
computational cost. The third algorithm is designed to exploit the presence in the network of weakly interconnected
subparts, and provides local detection and identification of misbehaving agents whose behavior deviates more than
a threshold, which is quantified in terms of the interconnection structure.

I. Introduction 

Distributed systems and networks have received much attention in recent years because of their flexibility
and computational performance. One of the most frequent tasks to be accomplished by autonomous
agents is to agree upon some parameters. Agreement variables represent quantities of interest such as the
work load in a network of parallel computers, the clock speed for wireless sensor networks, the velocity,
the rendezvous point, or the formation pattern for a team of autonomous vehicles; e.g., see [1], [2], [3].
Several algorithms achieving consensus have been proposed and studied in the computer science
community [4]. In this work, we consider linear consensus iterations, where, at each time instant, each
node updates its state as a weighted combination of its own value and those received from its neighbors.
The choice of algorithm weights influences the convergence speed toward the steady state value.

Because of the lack of a centralized entity that monitors the activity of the nodes of the network,
distributed systems are prone to attacks and component failures, and it is of increasing importance to
guarantee trustworthy computation even in the presence of misbehaving parts [8]. Misbehaving agents
can interfere with the nominal functions of the network in different ways. In this paper, we consider two
extreme cases: that the deviations from their nominal behavior are due to genuine, random faults in the
agents; or that agents can instead craft messages with the purpose of disrupting the network functions.
In the first scenario, faulty agents are unaware of the structure and state of the network and ignore the 
presence of other faults. In the second scenario, the worst-case assumption is made that misbehaving 
agents have knowledge of the structure and state of the network, and may collude with others to produce 
the biggest damage. We refer to the first case as non-colluding, or faulty; to the second case as malicious, 
or Byzantine. 

Reaching unanimity in an unreliable system is an important problem, well studied by computer scientists 
interested in distributed computing. A first characterization of the resilience of distributed systems to 
malicious attacks appears in [9], where the authors consider the task of agreeing upon a binary message 
sent by a "Byzantine general," when the communication graph is complete. In [10] the resilience of a
partially connected¹ network seeking consensus is analyzed, and it is shown that the well-behaving agents
of a network can always agree upon a parameter if and only if the number of malicious agents 

(i) is less than 1/2 of the network connectivity, and 
(ii) is less than 1/3 of the number of processors. 
This result has to be regarded as a fundamental limitation of the ability of a distributed consensus system to 
sustain arbitrary malfunctioning: the presence of misbehaving Byzantine processors can be tolerated only 
if their number satisfies the above threshold, independently of whatever consensus protocol is adopted. 

We consider linear consensus algorithms in which every agent, including the misbehaving ones, is
assumed to send the same information to all its neighbors. This assumption appears to be realistic
for most control scenarios. In a sensing network for instance, the data used in the consensus protocol
consist of the measurements taken directly by the agents, and (noiseless) measurements regarding the same
quantity coincide. Also, in a broadcast network, the information is transmitted using broadcast messages,
so that the content of a message is the same for all the receiving nodes. The problem of characterizing the
resilience properties of linear consensus strategies has been partially addressed in recent works [11], [12],
[13], where, for the malicious case, it is shown that, despite the limited abilities of the misbehaving agents,
the resilience to external attacks is still limited by the connectivity of the network. In [11] the problem
of detecting and identifying misbehaving agents in a linear consensus network is first introduced, and a
solution is proposed for the single faulty agent case. In [12], [13], the authors provide one policy that
k malicious agents can follow to prevent some of the nodes of a 2k-connected network from computing
the desired function of the initial state, or, equivalently, from reaching an agreement. On the contrary, if
the connectivity is 2k + 1 or more, then the authors show that generically the set of misbehaving nodes
is identified independent of its behavior, so that the desired consensus is eventually reached.

The main differences between this paper and the references [12], [13] are as follows. First, the method
proposed in [12], [13] takes inspiration from parity space methods for fault detection, while, following our
early work [11], we adopt here unknown-input observers techniques [14]. Second, we focus on consensus
networks, and we derive specific results for this important case that cannot be assessed for general linear
iterations. Third, we consider two different types of misbehaving agents, namely malicious and faulty
agents, and we provide network resilience bounds for both cases. Fourth, we exhaustively characterize
the complete set of policies that make a set of k agents undetectable and/or unidentifiable, as opposed to
[12] where only a particular disrupting strategy is defined. Fifth, we study system theoretic properties of
consensus systems (e.g., detectability, stabilizability, left-invertibility), and we quantify the effect of some 
misbehaving inputs on the network performance. Finally, we address the problem of detection complexity 
and we propose a computationally efficient detection method, as opposed to combinatorial procedures. 
Our approach also differs from the existing computer science literature, e.g., our analysis leads to the 
development of algorithms that can be easily extended to work on both discrete and continuous time 
linear consensus networks, and also with partial knowledge of the network topology. 

The main contributions of this work are as follows. By recasting the problem of linear consensus
computation in an unreliable system into a system theoretic framework, we provide alternative and
constructive system-theoretic proofs of existing bounds on the number of identifiable misbehaving agents
in a linear network, i.e., k Byzantine agents can be detected and identified if the network is
(2k + 1)-connected, and they cannot be identified if the network is 2k-connected or less. Moreover, by showing
some connections between linear consensus networks and linear dynamical systems, we exhaustively
describe the strategies that misbehaving nodes can follow to disrupt a linear network that is not sufficiently
connected. In particular, we prove that the inputs that allow the misbehaving agents to remain undetected
or unidentified coincide with the inputs-zero of a linear system associated with the consensus network. We
provide a novel and comprehensive analysis on the detection and identification of non-colluding agents.
We show that k faulty agents can be identified if the network is (k + 1)-connected, and cannot if the
network is k-connected or less. For both the cases of Byzantine and non-colluding agents, we prove
that the proposed bounds are generic with respect to the network communication weights, i.e., given an
(unweighted) consensus graph, the bounds hold for almost all (consensus) choices of the communication
weights. In other words, if we are given a (k + 1)-connected consensus network for which k faulty agents
cannot be identified, then a random and arbitrarily small change of the communication weights (within the
space of consensus weights) makes the misbehaving agents identifiable with probability one. In the last
part of the paper, we discuss the problem of detecting and identifying misbehaving agents when either
the partial knowledge of the network or hardware limitations make it impossible to implement an exact
identification procedure. We introduce a notion of network decentralization in terms of relatively weakly
connected subnetworks. We derive a sufficient condition on the consensus matrix that allows us to identify a
certain class of misbehaving agents under local network model information. Finally, we describe a local
algorithm to promptly detect and identify corrupted components.

¹ The connectivity of a graph is the maximum number of disjoint paths between any two vertices of the graph. A graph is complete if it
has connectivity n − 1, where n is the number of vertices in the graph.

The rest of the paper is organized as follows. Section II briefly recalls some basic facts on the geometric
approach to the study of linear systems, and on the fault detection and isolation problem. In Section III
we model linear consensus networks with misbehaving agents. Section IV presents the conditions under
which the misbehaving agents are detectable and identifiable. In Section V we characterize the effect
of an unidentifiable attack on the network consensus state. In Section VI we show that the resilience
of linear consensus networks to failures and external attacks is a generic property with respect to the
consensus weights. In Section VII we present our algorithmic procedures. Precisely, we derive an exact
identification algorithm, and an approximate and low-complexity procedure. Finally, Sections VIII and IX
contain respectively our numerical studies and our conclusion.

II. Notation and preliminary concepts 

We adopt the same notation as in [15]. Let $n, m, p \in \mathbb{N}$, let $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$, and
$C \in \mathbb{R}^{p \times n}$. Let the triple $(A, B, C)$ denote the linear discrete time system

$$x(t+1) = Ax(t) + Bu(t),$$

$$y(t) = Cx(t), \tag{1}$$

and let the subspaces $\mathcal{B} \subseteq \mathbb{R}^{n}$ and $\mathcal{C} \subseteq \mathbb{R}^{n}$ denote the image space $\operatorname{Im}(B)$ and the null space
$\operatorname{Ker}(C)$, respectively. A subspace $\mathcal{V} \subseteq \mathbb{R}^{n}$ is an $(A, \mathcal{B})$-controlled invariant if $A\mathcal{V} \subseteq \mathcal{V} + \mathcal{B}$, while a
subspace $\mathcal{S} \subseteq \mathbb{R}^{n}$ is an $(A, \mathcal{C})$-conditioned invariant if $A(\mathcal{S} \cap \mathcal{C}) \subseteq \mathcal{S}$. The set of all controlled invariants
contained in $\mathcal{C}$ admits a supremum, which we denote with $\mathcal{V}^*$, and which corresponds to the locus of all possible
state trajectories of (1) invisible at the output. On the other hand, the set of the conditioned invariants
containing $\mathcal{B}$ admits an infimum, which we denote with $\mathcal{S}^*$. Several problems, including disturbance
decoupling, non interacting control, fault detection and isolation, and state estimation in the presence of
unknown inputs have been addressed and solved in a geometric framework [15], [16].

In the classical Fault Detection and Isolation (FDI) setup, the presence of sensor failures and actuator
malfunctions is modeled by adding some unknown and unmeasurable functions $u_i(t)$ to the nominal
system. The FDI problem is to design, for each failure i, a filter of the form

$$w_i(t+1) = F_i w_i(t) + E_i y(t),$$

$$r_i(t) = M_i w_i(t) + H_i y(t), \tag{2}$$

also known as residual generator, that takes the observables $y(t)$ and generates a residual vector $r_i(t)$
that allows to uniquely identify if $u_i(t)$ becomes nonzero, i.e., if the failure i occurred in the system.
Let $B_1, \dots, B_m$ be the input matrices of the failure functions $u_1, \dots, u_m$. As a result of [15], [17], the
i-th failure can be correctly identified if and only if $\mathcal{B}_i \cap (\mathcal{V}^*_{K \setminus \{i\}} + \mathcal{S}^*_{K \setminus \{i\}}) = 0$, where $\mathcal{V}^*_{K \setminus \{i\}}$ and
$\mathcal{S}^*_{K \setminus \{i\}}$ are the maximal controlled and minimal conditioned invariant subspaces associated with the triple
$(A, [B_1 \cdots B_{i-1}\ B_{i+1} \cdots B_m], C)$. It can be shown that, under the above solvability condition, the filter
(2) can be designed as a dead beat device to have finite convergence time [17]: this property will be used
in Section VII for the characterization of our intrusion detection algorithm. We remark that, although the
FDI problem does not coincide with the problem we are going to face, we will be using some standard
FDI techniques to design our detection and identification algorithms, and we refer the reader to [14] for
a comprehensive treatment of the subject.

III. Linear consensus in the presence of misbehaving agents 

Let G denote a directed graph with vertex set $V = \{1, \dots, n\}$ and edge set $E \subseteq V \times V$, and recall
that the connectivity of G is the maximum number of disjoint paths between any two vertices of the
graph, or, equivalently, the minimum number of vertices in a vertex cutset [18]. The neighbor set of a
node $i \in V$, i.e., all the nodes $j \in V$ such that the pair $(j, i) \in E$, is denoted with $N_i$. We let each vertex
$j \in V$ denote an autonomous agent, and we associate a real number $x_j$ with each agent j. Let the vector
$x \in \mathbb{R}^n$ contain the values $x_j$. A linear iteration over G is an update rule for x and is described by the
linear discrete time system

$$x(t+1) = Ax(t), \tag{3}$$

where the (i, j)-th entry of A is nonzero only if $(j, i) \in E$. If the matrix A is row stochastic and primitive,
then, independent of the initial values of the nodes, the network asymptotically converges to a configuration
in which the state of the agents coincides. In the latter case, the matrix A is referred to as a consensus
matrix, and the system (3) is called consensus system. The graph G is referred to as the communication
graph associated with the consensus system (3) or, equivalently, with the consensus matrix A. A detailed
treatment of the applications, and the convergence aspects of the consensus algorithm is in [1], [2], [3],
and in the references therein.

We allow for some agents to update their state differently than specified by the matrix A by adding an
exogenous input to the consensus system. Let $u_i(t)$, $i \in V$, be the input associated with the i-th agent,
and let $u(t)$ be the vector of the functions $u_i(t)$. The consensus system becomes $x(t+1) = Ax(t) + u(t)$.

Definition 1 (Misbehaving agent) An agent j is misbehaving if there exists a time $t \in \mathbb{N}$ such that



In Section IV we will give a precise definition of the distinction, made already in the Introduction, between 
faulty and malicious agents on the basis of their inputs. 

Let $K = \{i_1, i_2, \dots\} \subseteq V$ denote a set of misbehaving agents, and let $B_K = [e_{i_1}\ e_{i_2}\ \cdots]$, where $e_i$ is
the i-th vector of the canonical basis. The consensus system with misbehaving agents K reads as

$$x(t+1) = Ax(t) + B_K u_K(t). \tag{4}$$

As it is shown in [11], algorithms of the form (3) have no resilience to malfunctions, and the presence of
a misbehaving agent may prevent the entire network from reaching consensus. As an example, let $c \in \mathbb{R}$,
and let $u_i(t) = -A_i x(t) + c$, being $A_i$ the i-th row of A. After reordering the variables in a way that the
well-behaving nodes come first, the consensus system can be rewritten as

$$x(t+1) = \begin{bmatrix} Q & R \\ 0 & 1 \end{bmatrix} x(t), \tag{5}$$

where the matrix Q corresponds to the interaction among the nodes $V \setminus \{i\}$, while R denotes the connection
between the sets $V \setminus \{i\}$ and $\{i\}$. Recall that a matrix is said to be Schur stable if all its eigenvalues lie
in the open unit disk.

Lemma III.1 (Quasi-stochastic submatrices) Let A be an $n \times n$ consensus matrix, and let J be a proper
subset of $\{1, \dots, n\}$. The submatrix with entries $A_{ik}$, $i, k \in J$, is Schur stable.

Proof: Reorder the nodes such that the indexes in J come first in the matrix A. Let $A_J$ be the leading
principal submatrix of dimension $|J|$. Let $\bar{A}_J = \begin{bmatrix} A_J & 0 \\ 0 & 0 \end{bmatrix}$, where the zeros are such that $\bar{A}_J$ is $n \times n$, and
note that $\rho(A_J) = \rho(\bar{A}_J)$, where $\rho(A_J)$ denotes the spectral radius of the matrix $A_J$ [19]. Since A is a
consensus matrix, it has only one eigenvalue of unitary modulus, and $\rho(A) = 1$. Moreover, $A \ge |\bar{A}_J|$,
and $A \ne |\bar{A}_J|$, where $|\bar{A}_J|$ is such that its (i, j)-th entry equals the absolute value of the (i, j)-th entry
of $\bar{A}_J$, $\forall i, j$. It is known that $\rho(\bar{A}_J) \le \rho(A) = 1$, and that if equality holds, then there exists a diagonal
matrix D with nonzero diagonal entries, such that $A = D \bar{A}_J D^{-1}$ [19, Wielandt's Theorem]. Because A
is irreducible, there exists no diagonal D with nonzero diagonal entries such that $A = D \bar{A}_J D^{-1}$, and the
statement follows. ■

Because of Lemma III.1, the matrix Q in (5) is Schur stable, so that the steady state value of the
well-behaving agents in (5) depends upon the action of the misbehaving node, and it corresponds to
$(I - Q)^{-1} R c$. In particular, since $(I - Q)^{-1} R = [1 \cdots 1]^T$, a single misbehaving agent can steer the
network towards any consensus value by choosing the constant c.²
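The effect described above can be checked numerically. The following is an added example, not code from the paper: the 4-agent consensus matrix, the choice of agent 3 as the misbehaving one, and all function names are assumptions made for illustration. It verifies $(I - Q)^{-1} R = [1 \cdots 1]^T$ exactly and shows that the well-behaving agents end up at c regardless of their initial values.

```python
from fractions import Fraction as F

# Constructed 4-agent consensus matrix (rows sum to 1, positive diagonal).
# Agent 3 is the misbehaving one, so Q = A[0:3][0:3] and R = A[0:3][3].
A = [
    [F(1, 2), F(1, 4), F(1, 4), F(0)],
    [F(1, 3), F(1, 3), F(0), F(1, 3)],
    [F(1, 4), F(0), F(1, 2), F(1, 4)],
    [F(0), F(1, 3), F(1, 3), F(1, 3)],
]
BAD = 3


def iterate(x0, c=None, steps=300):
    """Run x(t+1) = A x(t) + e_i u_i(t); u_i(t) = -A_i x(t) + c when c is given."""
    x = [float(v) for v in x0]
    for _ in range(steps):
        nxt = [sum(float(a) * v for a, v in zip(row, x)) for row in A]
        if c is not None:
            nxt[BAD] += -nxt[BAD] + c      # A_i x(t) + u_i(t) equals c
        x = nxt
    return x


def solve(M, b):
    """Solve M z = b exactly by Gauss-Jordan elimination over Fractions."""
    n = len(M)
    aug = [list(row) + [rhs] for row, rhs in zip(M, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        aug[col] = [v / aug[col][col] for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                aug[r] = [v - aug[r][col] * w for v, w in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def steady_state_gain():
    """Return (I - Q)^{-1} R for the well-behaving agents."""
    good = [i for i in range(len(A)) if i != BAD]
    i_minus_q = [[(1 if i == k else 0) - A[i][k] for k in good] for i in good]
    r = [A[i][BAD] for i in good]
    return solve(i_minus_q, r)


if __name__ == "__main__":
    print("(I - Q)^-1 R =", steady_state_gain())
    print("nominal     :", iterate([1, 2, 3, 4]))
    print("steered     :", iterate([1, 2, 3, 4], c=7.5))
```
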

It should be noticed that a different model for the misbehaving nodes consists in the modification of the
entries of A corresponding to their incoming communication edges. However, since the resulting network
evolution can be obtained by properly choosing the input $u_K(t)$ and keeping the matrix A fixed, our model
does not limit generality, while being convenient for the analysis. For the same reason, system (4) also
models the case of defective communication edges. Indeed, if the edge from the node i to the node j is
defective, then the message received by the agent j at time t is incorrect, and hence also the state $x_j(\bar{t})$,
$\bar{t} > t$. Since the values $x_j(\bar{t})$ can be produced with an input $u_j(t)$, the failure of the edge (i, j) can be
regarded as the j-th misbehaving action. Finally, the following key difference between our model and the
setup in [10] should be noticed. If the communication graph is complete, then up to n − 1 (instead of
$\lfloor n/3 \rfloor$) misbehaving agents can be identified in our model by a well-behaving agent. Indeed, since with
a complete communication graph the initial state x(0) is correctly received by every node, the consensus
value is computed after one communication round, so that the misbehaving agents cannot influence the
dynamics of the network.

IV. Detection and identification of misbehaving agents 

The problem of ensuring trustworthy computation among the agents of a network can be divided into 
a detection phase, in which the presence of misbehaving agents is revealed, and an identification phase, 
in which the identity of the intruders is discovered. A set of misbehaving agents may remain undetected 
from the observations of a node j if there exists a normal operating condition under which the node 
would receive the same information as under the perturbation due to the misbehavior. To be more precise, 
let $C_j = [e_{n_1} \cdots e_{n_p}]^T$, $\{n_1, \dots, n_p\} = N_j$, denote the output matrix associated with the agent j, and
let $y_j(t) = C_j x(t)$ denote the measurements vector of the j-th agent at time t. Let $x(x_0, u, t)$ denote
the network state trajectory generated from the initial state $x_0$ under the input sequence $u(t)$, and let
$y_j(x_0, u, t)$ be the sequence measured by the j-th node and corresponding to the same initial condition
and input.

² If the misbehaving input is not constant, then the network may not achieve consensus. In particular, the effect of a misbehaving input
$u_K$ on the network state at time t is given by $\sum_{\tau=0}^{t} A^{t-\tau} B_K u_K(\tau)$ (see also Section V).

Definition 2 (Undetectable input) For a linear consensus system of the form (4), the input $u_K(t)$
introduced by a set K of misbehaving agents is undetectable if

$$\exists\, x_1, x_2 \in \mathbb{R}^n,\ j \in V : \forall t \in \mathbb{N},\ y_j(x_1, u_K, t) = y_j(x_2, 0, t).$$

A more general concern than detection is identifiability of intruders, i.e. the possibility to distinguish
from measurements between the misbehaviors of two distinct agents, or, more generally, between two
disjoint subsets of agents. Let $\mathcal{K} \subseteq 2^V$ contain all possible sets of misbehaving agents.³

Definition 3 (Unidentifiable input) For a linear consensus system of the form (4) and a nonempty set
$K_1 \in \mathcal{K}$, an input $u_{K_1}(t)$ is unidentifiable if there exist $K_2 \in \mathcal{K}$, with $K_1 \neq K_2$, and an input $u_{K_2}(t)$ such
that

$$\exists\, x_1, x_2 \in \mathbb{R}^n,\ j \in V : \forall t \in \mathbb{N},\ y_j(x_1, u_{K_1}, t) = y_j(x_2, u_{K_2}, t).$$

Of course, an undetectable input is also unidentifiable, since it cannot be distinguished from the zero 
input. The converse does not hold. Unidentifiable inputs are a very specific class of inputs, to be precisely 
characterized later in this section. Correspondingly, we define 

Definition 4 (Malicious behaviors) A set of misbehaving agents K is malicious if its input $u_K(t)$ is
unidentifiable. It is faulty otherwise. 

We provide now a characterization of malicious behaviors for the particularly important class of linear 
consensus networks. Notice however that, if the matrix A below is not restricted to be a consensus matrix, 
then the following Theorem extends the results in [12] by fully characterizing the inputs for which a group
of misbehaving agents remains unidentified from the output observations of a certain node. 

Theorem IV.1 (Characterization of malicious behaviors) For a linear consensus system of the form
(4) and a nonempty set $K_1 \in \mathcal{K}$, an input $u_{K_1}(t)$ is unidentifiable if and only if

$$C_j A^{t+1} x = \sum_{\tau=0}^{t} C_j A^{t-\tau} \left( B_{K_1} u_{K_1}(\tau) - B_{K_2} u_{K_2}(\tau) \right)$$

for all $t \in \mathbb{N}$, and for some $u_{K_2}(t)$, with $K_2 \in \mathcal{K}$, $K_1 \neq K_2$, and $x \in \mathbb{R}^n$. If the same holds with
$u_{K_2}(t) = 0$, the input is actually undetectable.

Proof: By Definitions 2 and 3, an input $u_{K_1}(t)$ is unidentifiable if $y_j(x_1, u_{K_1}, t) = y_j(x_2, u_{K_2}, t)$,
and it is undetectable if $y_j(x_1, u_{K_1}, t) = y_j(x_2, 0, t)$, for some $x_1$, $x_2$, and $u_{K_2}(t)$. Due to linearity of the
network, the statement follows. ■

Remark 1 (Malicious behaviors are not generic) Because an unidentifiable input must satisfy the
equation in Theorem IV.1, excluding pathological cases, unidentifiable signals are not generic, and they can be
injected only intentionally by colluding misbehaving agents. This motivates our definition of "malicious"
for those agents which use unidentifiable inputs. □

We consider now the resilience of a consensus network to faulty and malicious misbehaviors. Let I
denote the identity matrix of appropriate dimensions. The zero dynamics of the linear system $(A, B_K, C_j)$
are the (nontrivial) state trajectories invisible at the output, and can be characterized by means of the
$(n + p) \times (n + |K|)$ pencil

$$P(z) = \begin{bmatrix} zI - A & B_K \\ C_j & 0 \end{bmatrix}.$$

The complex value z is said to be an invariant zero of the system $(A, B_K, C_j)$ if there exists a state-zero
direction $x_0$, $x_0 \neq 0$, and an input-zero direction g, such that $(zI - A)x_0 + B_K g = 0$, and $C_j x_0 = 0$.
Also, if $\operatorname{rank}(P(z)) = n + |K|$ for all but finitely many complex values z, then the system $(A, B_K, C_j)$
is left-invertible, i.e., starting from any initial condition, there are no two distinct inputs that give rise
to the same output sequence [20]. We next characterize the relationship between the zero dynamics of a
consensus system and the connectivity of the consensus graph.

³ An element of $\mathcal{K}$ is a subset of $\{1, \dots, n\}$. For instance, $\mathcal{K}$ may contain all the subsets of $\{1, \dots, n\}$ with a specific cardinality.

Lemma IV.1 (Zero dynamics and connectivity) Given a k-connected linear network with matrix A,
there exists a set of agents $K_1$, with $|K_1| > k$, and a node j such that the consensus system $(A, B_{K_1}, C_j)$
is not left-invertible. Furthermore, there exists a set of agents $K_2$, with $|K_2| = k$, and a node j such that
the system $(A, B_{K_2}, C_j)$ has nontrivial zero dynamics.

Proof: Let G be the digraph associated with A, and let k be the connectivity of G. Take a set K of
k + 1 misbehaving nodes, such that k of them form a vertex cut S of G. Note that, since the connectivity
of G is k, such a set always exists. The network G is divided into two subnetworks $G_1$ and $G_3$, which
communicate only through the nodes S. Assume that the misbehaving agent $K \setminus S$ belongs to $G_3$, while
the observing node j belongs to $G_1$. After reordering the nodes such that the vertices of $G_1$ come first,
the vertices S come second, and the vertices of $G_3$ come third, the consensus matrix A is of the form

$$A = \begin{bmatrix} A_{11} & A_{12} & 0 \\ A_{21} & A_{22} & A_{23} \\ 0 & A_{32} & A_{33} \end{bmatrix},$$

where the zero matrices are due to the fact that S is a vertex cut. Let $u_S(t) = -A_{23} x_3(t)$,
where $x_3$ is the vector containing the values of the nodes of $G_3$, and let $u_{K \setminus S}(t)$ be any arbitrary nonzero
function. Clearly, starting from the zero state, the values of the nodes of $G_1$ are constantly 0, while the
subnetwork $G_3$ is driven by the misbehaving agent $K \setminus S$. We conclude that the triple $(A, B_K, C_j)$ is not
left-invertible.

Suppose now that K = S as previously defined, and let $u_K(t) = -A_{23} x_3(t)$. Let the initial condition
of the nodes of $G_1$ and of S be zero. Since every state trajectory generated by $x_3 \neq 0$ does not appear in
the output of the agent j, the triple $(A, B_K, C_j)$ has nontrivial zero dynamics. ■



Following Lemma IV.1, we next state an upper bound on the number of misbehaving agents that can
be detected.

Theorem IV.2 (Detection bound) Given a k-connected linear consensus network, there exist undetectable
inputs for a specific set of k misbehaving agents.

Proof: Let K, with $|K| = k$, be the misbehaving set, and let K form a vertex cut of the consensus
network. Because of Lemma IV.1, for some output matrix $C_j$, the consensus system has nontrivial zero
dynamics, i.e., there exists an initial condition x(0) and an input $u_K(t)$ such that $y_j(t) = 0$ at all times.
Hence, the input $u_K(t)$ is undetectable from the observations of j. ■
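The construction used in the proofs of Lemma IV.1 and Theorem IV.2 can be replayed on a small network. The following is an added example, not code from the paper: the 5-agent path graph, its weights, the initial states and the function names are assumptions. The cut agent S = {2} injects $u_S(t) = -A_{23} x_3(t)$, and the measurements of agent 0 are compared, in exact arithmetic, with those of a nominal run from the zero state (the pair required by Definition 2).

```python
from fractions import Fraction as F

# Constructed path network 0-1-2-3-4 with self-loops (not from the paper).
# Rows are nonnegative and sum to 1, so A is a consensus matrix.
A = [
    [F(1, 2), F(1, 2), 0, 0, 0],
    [F(1, 3), F(1, 3), F(1, 3), 0, 0],
    [0, F(1, 3), F(1, 3), F(1, 3), 0],
    [0, 0, F(1, 3), F(1, 3), F(1, 3)],
    [0, 0, 0, F(1, 2), F(1, 2)],
]
G1, S, G3 = [0, 1], [2], [3, 4]   # S = {2} is a vertex cut of size k = 1
OBSERVER_NEIGHBORS = [0, 1]       # entries of x measured by agent j = 0


def step(A, x, u):
    """One iteration of x(t+1) = A x(t) + B_K u_K(t); u maps agent -> input."""
    nxt = [sum(a * xi for a, xi in zip(row, x)) for row in A]
    for agent, value in u.items():
        nxt[agent] += value
    return nxt


def cut_input(A, x):
    """u_S(t) = -A_23 x_3(t): each cut agent cancels what it hears from G3."""
    return {s: -sum(A[s][g] * x[g] for g in G3) for s in S}


def no_input(A, x):
    """Nominal behavior: every agent follows the consensus update."""
    return {}


def simulate(A, x0, policy, steps):
    """Return the state trajectory [x(0), ..., x(steps)] under an input policy."""
    traj = [list(x0)]
    for _ in range(steps):
        x = traj[-1]
        traj.append(step(A, x, policy(A, x)))
    return traj


def view(traj, neighbors):
    """Measurement sequence y_j(t) = C_j x(t) of the observing agent."""
    return [[x[i] for i in neighbors] for x in traj]


def demo(steps=12):
    # Misbehaving run: G1 and S start at zero, G3 does not.
    attacked = simulate(A, [0, 0, 0, 1, 2], cut_input, steps)
    # Nominal run from the zero state with zero input.
    nominal = simulate(A, [0, 0, 0, 0, 0], no_input, steps)
    # Same initial state with the cut agent behaving: G3 reaches the observer.
    honest = simulate(A, [0, 0, 0, 1, 2], no_input, steps)
    return {
        "undetected": view(attacked, OBSERVER_NEIGHBORS) == view(nominal, OBSERVER_NEIGHBORS),
        "g3_state": [attacked[-1][g] for g in G3],
        "honest_view_last": view(honest, OBSERVER_NEIGHBORS)[-1],
    }


if __name__ == "__main__":
    print(demo())
```
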

We now consider the identification problem. 

Theorem IV.3 (Identification of misbehaving agents) For a set of misbehaving agents $K_1 \in \mathcal{K}$, every
input is identifiable from j if and only if the consensus system $(A, [B_{K_1}\ B_{K_2}], C_j)$ has no zero dynamics
for every $K_2 \in \mathcal{K}$.

Proof: (Only if) By contradiction, let $x_0$ and $[u_{K_1}^T\ \ {-u_{K_2}^T}]^T$ be a state-zero direction, and an input-zero
sequence for the system $(A, [B_{K_1}\ B_{K_2}], C_j)$. We have

$$y_j(t) = 0 = C_j \left( A^t x_0 + \sum_{\tau=0}^{t-1} A^{t-\tau-1} \left( B_{K_1} u_{K_1}(\tau) - B_{K_2} u_{K_2}(\tau) \right) \right).$$

Therefore,

$$C_j \left( A^t x_0^1 + \sum_{\tau=0}^{t-1} A^{t-\tau-1} B_{K_1} u_{K_1}(\tau) \right) = C_j \left( A^t x_0^2 + \sum_{\tau=0}^{t-1} A^{t-\tau-1} B_{K_2} u_{K_2}(\tau) \right),$$

where $x_0^1 - x_0^2 = x_0$. Clearly, since the output sequence generated by $K_1$ coincides with the output sequence
generated by $K_2$, the two inputs are unidentifiable.

(If) Suppose that, for any $K_2 \in \mathcal{K}$, the system $(A, [B_{K_1}\ B_{K_2}], C_j)$ has no zero dynamics, i.e., there exists no
initial condition $x_0$ and input $[u_{K_1}^T\ u_{K_2}^T]^T$ that result in the output being zero at all times. By the linearity
of the network, every input $u_{K_1}$ is identifiable. ■



As a consequence of Theorem IV.3, if up to k misbehaving agents are allowed to act in the network,
then a necessary and sufficient condition to correctly identify the set of misbehaving nodes is that the 
consensus system subject to any set of 2k inputs has no nontrivial zero dynamics. 

Theorem IV.4 (Identification bound) Given a k-connected linear consensus network, there exist
unidentifiable inputs for a specific set of $\lfloor \frac{k-1}{2} \rfloor + 1$ misbehaving agents.

Proof: Since $2(\lfloor \frac{k-1}{2} \rfloor + 1) \ge k$, by Lemma IV.1 there exist $K_1$, $K_2$, with $|K_1| = |K_2| = \lfloor \frac{k-1}{2} \rfloor + 1$,
and j such that the system $(A, [B_{K_1}\ B_{K_2}], C_j)$ has nontrivial zero dynamics. By Theorem IV.3, there
exists an input and an initial condition such that $K_1$ is undistinguishable from $K_2$ to the agent j. ■

In other words, in a k-connected network, at most k − 1 (resp. $\lfloor \frac{k-1}{2} \rfloor$) misbehaving agents can be
certainly detected (resp. identified) by every agent. Notice that, for a linear consensus network, Theorem
IV.4 provides an alternative proof of the resilience bound presented in [10] and in [12].

We now focus on the faulty misbehavior case. Notice that, because such agents inject only identifiable
inputs by definition, we only need to guarantee the existence of such inputs. We start by showing that,
independent of the cardinality of a set K, there exist detectable inputs for a consensus system $(A, B_K, C_j)$,
so that any set of faulty agents is detectable. By using a result from [21], an input $u_K(t)$ is undetectable
from the measurements of the j-th agent only if for all $t \in \mathbb{N}$, it holds $C_j A^{\nu} B_K u_K(t) = C_j A^{\nu+1} x(t)$,
where $C_j A^{\nu} B_K$ is the first nonzero Markov parameter, and x(t) is the network state at time t. Notice that,
because of the irreducibility assumption of a consensus matrix, independently of the cardinality of the
faulty set and of the observing node j, there exists a finite $\nu$ such that $C_j A^{\nu} B_K \neq 0$, so that every input
$u_K(t) \neq (C_j A^{\nu} B_K)^{\dagger} C_j A^{\nu+1} x(t)$ is detectable. We show that, if the number of misbehaving components
is allowed to equal the connectivity of the consensus network, then there exists a set of misbehaving
agents that are unidentifiable independent of their input.

Theorem IV.5 (Identification of faulty agents) Given a k-connected linear consensus network, there
exists no identifiable input for a specific set of k misbehaving agents.

Proof: Let $K_1$, with $|K_1| = k$, form a vertex cut. The network is divided into two subnetworks $G_1$
and $G_2$ by the agents $K_1$. Let $K_2$, with $|K_2| < k$, be the set of faulty agents, and suppose that the set $K_2$
belongs to the subnetwork $G_2$. Let j be an agent of $G_1$. Notice that, because $K_1$ forms a vertex cut, for
every initial condition x(0) and for every input $u_{K_2}(t)$, there exists an input $u_{K_1}(t)$ such that the output
sequences at the node j coincide. In other words, every input $u_{K_2}(t)$ is unidentifiable. ■

Hence, in a k-connected network, a set of k faulty agents may remain unidentified independent of its
input function. It should be noticed that Theorems IV.4 and IV.5 only give an upper bound on the maximum
number of concurrent misbehaving agents that can be detected and identified. In Section VI it will be
shown that, generically, in a k-connected network, there exist only identifiable inputs for any set of $\lfloor \frac{k-1}{2} \rfloor$
misbehaving agents, and that there exist some identifiable inputs for any set of k − 1 misbehaving agents.
In other words, if there exists a set of misbehaving nodes that cannot be identified by an agent, then,
provided that the connectivity of the communication graph is sufficiently high, a random and arbitrarily
small change of the consensus matrix makes the misbehaving nodes detectable and identifiable with
probability one.

V. Effects of unidentified misbehaving agents

In the previous section, the importance of zero dynamics in the misbehavior detection and identification
problem has been shown. In particular, we proved that a misbehaving agent may alter the nominal network
behavior while remaining undetected by injecting an input-zero associated with the current network state.
We now study the effect of an unidentifiable attack on the final consensus value. As a preliminary result,
we prove the detectability of a consensus network.

Lemma V.1 (Detectability) Let the matrix $A$ be row stochastic and irreducible. For any network node
$j$, the pair $(A, C_j)$ is detectable.

Proof: If $A$ is stochastic and irreducible, then it has at least $h > 1$ eigenvalues of unitary modulus.
Precisely, the spectrum of $A$ contains $\{1 = e^{i\theta_0}, e^{i\theta_1}, \ldots, e^{i\theta_{h-1}}\}$. By Wielandt's theorem [19], we have
$A D_k = e^{i\theta_k} D_k A$, where $k \in \{0, \ldots, h-1\}$, and $D_k$ is a full rank diagonal matrix. By multiplying both
sides of the equality by the vector of all ones, we have $A D_k \mathbf{1} = e^{i\theta_k} D_k A \mathbf{1} = e^{i\theta_k} D_k \mathbf{1}$, so that $D_k \mathbf{1}$ is the
eigenvector associated with the eigenvalue $e^{i\theta_k}$. Observe that the vector $D_k \mathbf{1}$ has no zero component, and
that, by the eigenvector test [20], the pair $(A, C_j)$ is detectable. Indeed, since $A$ is irreducible, the neighbor
set $N_j$ is nonempty, and the eigenvector $D_k \mathbf{1}$, with $k \in \{0, \ldots, h-1\}$, is not contained in $\mathrm{Ker}(C_j)$. ■

Observe that the primitivity of the network matrix is not assumed in Lemma V.1. By duality, a result on
the stabilizability of the pair $(A, B_j)$ can also be asserted.

Lemma V.2 (Stabilizability) Let the matrix $A$ be row stochastic and irreducible. For any network node
$j$, the pair $(A, B_j)$ is stabilizable.

Remark 2 (State estimation via local computation) If a linear system is detectable (resp. stabilizable),
then a linear observer (resp. controller) exists to asymptotically estimate (resp. stabilize) the system state.
By combining the above results with Lemma III.1 we have that, under a mild assumption on the matrix
$A$, the state of a linear network can be asymptotically observed (resp. stabilized) via local computation.
Consider for instance the problem of designing an observer [13], and let $C_j = e_j^T$. Take $G = -A_j$, where
$A_j$ denotes the $j$-th column of $A$. Notice that the matrix $A + G C_j$ can be written as a block-triangular
matrix, and it is stable because of Lemma III.1. Finally, since the nonzero entries of $G$ correspond to the
out-neighbors⁴ of the node $j$, the output injection operation $G C_j$ only requires local information. □

A class of undetectable attacks is now presented. Notice that misbehaving agents can arbitrarily change
their initial state without being detected during the consensus iterations, and, by doing so, misbehaving
components can cause at most a constant error on the final consensus value. Indeed, let $A$ be a consensus
matrix, and let $K$ be the set of misbehaving agents. Let $x(0)$ be the network initial state, and suppose that
the agents $K$ alter their initial value, so that the network initial state becomes $x(0) + B_K c$, where $c \in \mathbb{R}^{|K|}$.
Recall from [19] that $\lim_{t \to \infty} A^t = \mathbf{1}\pi$, where $\mathbf{1}$ is the vector of all ones, and $\pi$ is such that $\pi A = \pi$.
Therefore, the effect of the misbehaving set $K$ on the final consensus state is $\mathbf{1}\pi B_K c$. Clearly, if the vector
$x(0) + B_K c$ is a valid initial state, the misbehaving agents cannot be detected. On the other hand, since
it is possible for uncompromised nodes to estimate the observable part of the initial state of the whole
network, if an acceptability region (or an a priori probability distribution) is available on initial states,
then, by analyzing the reconstructed state, a form of intrusion detection can be applied, e.g., see [22]. We
conclude this paragraph by showing that, if the misbehaving vector $B_K c$ belongs to the unobservability
subspace of $(A, C_j)$, for some $j$, then the misbehaving agents do not alter the final consensus value. Let $v$
be an eigenvector associated with the unobservable eigenvalue $z$, i.e., $(zI - A)v = 0$ and $C_j v = 0$. We have
$\pi(zI - A)v = (z - 1)\pi v = 0$, and, because of the detectability of $(A, C_j)$, $|z| < 1$ (cf. Lemma V.1). Hence
$\pi v = 0$. Therefore, if the attack $B_K c$ is unobservable from any agent, then $\lim_{t \to \infty} A^t B_K c = \mathbf{1}\pi B_K c = 0$,
so that the change of the initial states of misbehaving agents does not affect the final consensus value.

A different class of unidentifiable attacks consists of injecting a signal corresponding to an input-zero
for the current network state. We start by characterizing the potential disruption caused by misbehaving
nodes that introduce nonzero, but exponentially vanishing inputs.⁵

4 The agent $i$ is an out-neighbor of $j$ if the $(i, j)$-th entry of $A$ is nonzero, or, equivalently, if $(j, i)$ belongs to the edge set.

Fig. 1. In Fig. 1(a) the agents {1, 2} are misbehaving. The consensus system $(A, B_{\{1,2\}}, C_3)$ has unstable zeros. In Fig. 1(b) the agents
{1, 2} are misbehaving. The consensus system $(A, B_{\{1,2\}}, C_6)$ is not left-invertible.

Lemma V.3 (Exponentially stable input) Let $A$ be a consensus matrix, and let $K$ be a set of agents.
Let $u : \mathbb{N} \to \mathbb{R}^{|K|}$ be exponentially decaying. There exist $z \in (0, 1)$ and $u_0 \in \mathbb{R}^{|K|}$ such that

$$\lim_{t \to \infty} \sum_{\tau=0}^{t} A^{t-\tau} B_K u(\tau) \preceq (1 - z)^{-1} \mathbf{1}\pi B_K u_0,$$

where $\preceq$ denotes component-wise inequality, $\mathbf{1}$ is the vector of all ones of appropriate dimension, and $\pi$
is such that $\pi A = \pi$.



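Proof: Let $z \in (0, 1)$ and $0 \preceq u_0 \in \mathbb{R}^{|K|}$ be such that $u(k) \preceq z^k u_0$. Then, since $A$ is a nonnegative
matrix, for all $t, \tau \in \mathbb{N}$, with $t > \tau$, we have $A^{t-\tau} B_K u(\tau) \preceq A^{t-\tau} B_K z^{\tau} u_0$, and hence
$\lim_{t \to \infty} \sum_{\tau=0}^{t} A^{t-\tau} B_K u(\tau) \preceq \lim_{t \to \infty} \sum_{\tau=0}^{t} A^{t-\tau} B_K z^{\tau} u_0$. Notice that $(1 - z)^{-1} = \lim_{t \to \infty} \sum_{\tau=0}^{t} z^{\tau}$. We
now show that $\lim_{t \to \infty} \sum_{\tau=0}^{t} z^{\tau} (\mathbf{1}\pi - A^{t-\tau}) = \lim_{t \to \infty} \sum_{\tau=0}^{t} E(t, \tau) = 0$, from which the theorem follows.
Let $e(t, \tau)$ be any component of $E(t, \tau)$. Because $\lim_{t \to \infty} A^t = \mathbf{1}\pi$, there exist $c$ and $\rho$, with $|z| < |\rho| < 1$,
such that $e(t, \tau) < c z^{\tau} \rho^{t-\tau}$. We have

$$\lim_{t \to \infty} \sum_{\tau=0}^{t} c z^{\tau} \rho^{t-\tau} = \lim_{t \to \infty} c \rho^{t} \sum_{\tau=0}^{t} z^{\tau} \rho^{-\tau} = 0,$$

so that $\sum_{\tau=0}^{t} E(t, \tau)$ converges to zero as $t$ approaches infinity. ■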

Following Lemma V.3, if the zero dynamics are exponentially stable, then misbehaving agents can
affect the final consensus value by a constant amount without being detected, if and only if they inject
vanishing inputs along input-zero directions. If an admissible region is known for the network state, then
a tight bound on the effect of misbehaving agents injecting vanishing inputs can be provided. Notice
moreover that, in this situation, a well-behaving agent is able to detect misbehaving agents whose state
is outside an admissible region by simply analyzing its state. Finally, for certain consensus networks, the
effect of an exponentially stable input decreases to zero with the cardinality of the network. Indeed, let
$\pi = \bar{\pi}/n$, where $\bar{\pi}$ is a constant row vector and $n$ denotes the cardinality of the network. For instance,
if $A$ is doubly stochastic, then $\pi = \mathbf{1}^T/n$ [19]. Then, when $n$ grows, the effect of the input $u(t) = z^t u_0$,
with $|z| < 1$, on the consensus value becomes negligible.

The left-invertibility and the stability of the zero dynamics are not an inherent property of a consensus
system. Consider for instance the graph of Fig. 1(a) where the agents {1, 2} are malicious. If the network
matrices are

5 An output-zeroing input can always be written as
$u(k) = -(CA^{\nu}B)^{\dagger} CA^{\nu+1} (K_{\nu}A)^{k} x(0) - (CA^{\nu}B)^{\dagger} CA^{\nu+1} \left( \sum_{l=0}^{k-1} (K_{\nu}A)^{k-1-l} B u_h(l) \right) + u_h(k)$,
where $\nu \in \mathbb{N}$, $(CA^{\nu}B)$ is the first nonzero Markov parameter, $K_{\nu} = I - B(CA^{\nu}B)^{\dagger}CA^{\nu}$ is a projection matrix,
$x(0) \in \bigcap_{l=0}^{\nu} \mathrm{Ker}(CA^{l})$ is the system initial state, and $u_h(k)$ is such that $CA^{\nu}B u_h(k) = 0$.

then the system $(A, B_{\{1,2\}}, C_3)$ is left-invertible, but the invariant zeros are $\{0, +2, -2\}$. Hence, for some
initial conditions, there exist non vanishing input sequences that do not appear in the output. Moreover,
for the graph in Fig. 1(b), let the network matrices be

It can be verified that the system $(A, B_{\{1,2\}}, C_6)$ is not left-invertible. Indeed, for zero initial conditions,
any input of the form $u_1 = -u_2$ does not appear in the output sequence of the agent 6. In some cases,
the left-invertibility of a consensus system can be asserted independently of the consensus matrix.

Theorem V.1 (Left-invertibility, single intruder case) Let $A$ be a consensus matrix, and let $B_i = e_i$,
$C_j = e_j^T$. Then the system $(A, B_i, C_j)$ is left-invertible.

Proof: Suppose, by contradiction, that $(A, B_i, C_j)$ is not left-invertible. Then there exist state
trajectories that, starting from the origin, are invisible to the output. In other words, since the input is a scalar,
the Markov parameters $C_j A^t B_i$ have to be zero for all $t$. Notice the $(i, k)$-th component of $A^t$ is nonzero
if there exists a path of length $t$ from $i$ to $k$. Because $A$ is irreducible, there exists $t$ such that $C_j A^t B_i \neq 0$,
and therefore the consensus system is left-invertible. ■

If in Theorem V.1 one identifies the $i$-th node with a single intruder, and the $j$-th node with an
observer node, the theorem states that, for known initial conditions of the network, any two distinct inputs
generated by a single intruder produce different outputs at all observing nodes, and hence can be detected.
Consider for example a flocking application, in which the agents are supposed to agree on the velocity
to be maintained during the execution of the task JT). Suppose that a linear consensus iteration is used
to compute a common velocity vector, and suppose that the states of the agents are equal to each other.
Then no single misbehaving agent can change the velocity of the team without being detected, because
no zero dynamic can be generated by a single agent starting from a consensus state.

We now consider the case in which several misbehaving agents are allowed to act simultaneously. The 
following result relating the position of the misbehaving agents in the network and the zero dynamics of 
a consensus system can be asserted. 

Theorem V.2 (Stability of zero dynamics) Let $K$ be a set of agents and let $j$ be a network node. The
zero dynamics of the consensus system $(A, B_K, C_j)$ are exponentially stable if one of the following is
true:
(i) the system $(A, B_K, C_j)$ is left-invertible, and there are no edges from the nodes $K$ to $V \setminus \{N_j \cup K\}$;
(ii) the system $(A, B_K, C_j)$ is left-invertible, and there are no edges from the nodes $V \setminus \{N_j \cup K\}$ to
$N_j$; or
(iii) the sets $K$ and $N_j$ are such that $K \subseteq N_j$.

Proof: Let $z$ be an invariant zero, $x$ and $u$ a state-zero and input-zero direction, so that

$(zI - A)x + B_K u = 0$, and $C_j x = 0$. (6)

Fig. 2. The stability of the zero dynamics of a left-invertible consensus system can be asserted depending upon the location of the misbehaving
agents in the network. Let $j$ be the observer agent, and let $K$ be the misbehaving set. Then, the zero dynamics are asymptotically stable if
the set $N_j$ separates the sets $K$ and $V \setminus \{N_j \cup K\}$ (cf. Fig. 2(a)), or if the set $K$ separates the sets $N_j$ and $V \setminus \{N_j \cup K\}$ (cf. Fig. 2(b)),
or if the set $K$ is a subset of $N_j$ (cf. Fig. 2(c)).



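Reorder the nodes such that the set $K$ comes first, the set $N_j \setminus K$ second, and the set $V \setminus \{K \cup N_j\}$ third.
The consensus matrix and the vector $x$ are accordingly partitioned as

$$A = \begin{bmatrix} A_{11} & A_{12} & A_{13} \\ A_{21} & A_{22} & A_{23} \\ A_{31} & A_{32} & A_{33} \end{bmatrix}, \quad x = \begin{bmatrix} x_1 \\ x_2 \\ x_3 \end{bmatrix},$$

and the input and output matrices become $B_K = [I \; 0 \; 0]^T$ and $C_j = [0 \; I \; 0]$. For equations (6) to be
verified, it has to be $x_2 = 0$, $z x_1 = A_{11} x_1 + A_{13} x_3 - u_K$, and

$$\begin{bmatrix} 0 \\ z x_3 \end{bmatrix} = \begin{bmatrix} A_{21} & A_{23} \\ A_{31} & A_{33} \end{bmatrix} \begin{bmatrix} x_1 \\ x_3 \end{bmatrix}.$$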

Case (i) Since there are no edges from the nodes $K$ to $V \setminus \{N_j \cup K\}$, we have $A_{31} = 0$, and hence it
has to be $(zI - A_{33})x_3 = 0$, i.e., $z$ needs to be an eigenvalue of $A_{33}$. We now show that $x_3 \neq 0$. Suppose
by contradiction that $x_3 = 0$, and that $z$ is an invariant zero, with state-zero and input-zero direction
$x = [x_1^T \; 0 \; 0]^T$ and $u_K = (zI - A_{11})x_1$, respectively. Then, for all complex values $z$, the vectors $x$ and
$u_K = (zI - A_{11})x_1$ constitute the state-zero and the input-zero direction associated with the invariant zero
$z$. Because the system is assumed to be left-invertible, there can only be a finite number of invariant zeros
EH . so that we conclude that $x_3 \neq 0$ or that the system has no zero dynamics. Because $z$ needs to be an
eigenvalue of $A_{33}$, and because of Lemma III.1 we conclude that the zero dynamics are asymptotically
stable.

Case (ii) Since there are no edges from the nodes $V \setminus \{N_j \cup K\}$ to $N_j$, we have $A_{23} = 0$. We
now show that $\mathrm{Ker}(A_{21}) = 0$. Suppose by contradiction that $0 \neq x_1 \in \mathrm{Ker}(A_{21})$. Consider the equation
$(zI - A_{33})x_3 = A_{31}x_1$, and notice that, because of Lemma III.1, for all $z$ with $|z| > 1$, the matrix $zI - A_{33}$
is invertible. Therefore, if $|z| > 1$, the vector $[x_1^T \; 0 \; ((zI - A_{33})^{-1} A_{31} x_1)^T]^T$ is a state-zero direction,
with input-zero direction $u_K = -(zI - A_{11})x_1 + A_{13}x_3$. The system would have an infinite number of
invariant zeros, being therefore not left-invertible. We conclude that $\mathrm{Ker}(A_{21}) = 0$. Consequently, we have
$x_1 = 0$ and $(zI - A_{33})x_3 = 0$, so that $|z| < 1$.

Case (iii) Reorder the variables such that the nodes $N_j$ come before $V \setminus N_j$. For the existence of a
zero dynamics, it needs to hold $x_1 = 0$ and $(zI - A_{22})x_2 = 0$. Hence, $|z| < 1$. ■

We are left to study the case of a network with zeros outside the open unit disk, where intruders 
may inject non-vanishing inputs while remaining unidentified. For this situation, we only remark that a 
detection procedure based on an admissible region for the network state can be implemented to detect 
inputs evolving along unstable zero directions. 

VI. Generic detection and identification of misbehaving agents 

In the framework of traditional control theory, the entries of the matrices describing a dynamical
system are assumed to be known without uncertainties. It is often the case, however, that such entries
only approximate the exact values. In order to capture this modeling uncertainty, structured systems have
been introduced and studied, e.g., see [23], [16], [24]. Let a structure matrix $[M]$ be a matrix in which
each entry is either a fixed zero or an indeterminate parameter, and let the tuple of structure matrices
$([A], [B], [C], [D])$ denote the structured system

$$x(t+1) = [A]x(t) + [B]u(t),$$
$$y(t) = [C]x(t) + [D]u(t). \qquad (7)$$

A numerical system $(A, B, C, D)$ is an admissible realization of $([A], [B], [C], [D])$ if it can be obtained
by fixing the indeterminate entries of the structure matrices at some particular value, and two systems
are structurally equivalent if they are both an admissible realization of the same structured system. Let
$d$ be the number of indeterminate entries altogether. By collecting the indeterminate parameters into a
vector, an admissible realization is mapped to a point in the Euclidean space $\mathbb{R}^d$. A property which can
be asserted on a dynamical system is called structural (or generic) if, informally, it holds for almost
all admissible realizations. To be more precise, following [24], we say that a property is structural (or
generic) if and only if the set of admissible realizations satisfying such property forms a dense subset
of the parameter space.⁶ Moreover, it can be shown that, if a property holds generically, then the set of
parameters for which such property is not verified lies on an algebraic hypersurface of $\mathbb{R}^d$, i.e., it has zero
Lebesgue measure in the parameter space. For instance, left-invertibility of a dynamical system is known
to be a structural property with respect to the parameter space $\mathbb{R}^d$.

Let the connectivity of a structured system $([A], [B], [C])$ be the connectivity of the graph defined by its
nonzero parameters. In what follows, we assume $[D] = 0$, and we study the zero dynamics of a structured
consensus system as a function of its connectivity. Let the generic rank of a structure matrix $[M]$ be the
maximal rank over all possible numerical realizations of $[M]$.

Lemma VI.1 (Generic zero dynamics and connectivity) Let $([A], [B], [C])$ be a $k$-connected structured
system. If the generic rank of $[B]$ is less than $k$, then almost every numerical realization of $([A], [B], [C])$
has no zero dynamics.

Proof: Since the system $([A], [B], [C])$ is $k$-connected and the generic rank $r$ of $[B]$ is less than
$k$, there are $r$ disjoint paths from the input to the output [25]. Then, from Theorem 4.3 in [25], the
system $([A], [B], [C])$ is generically left-invertible. Additionally, by using Lemma 3 in [13], it can be
shown that $([A], [B], [C])$ has generically no invariant zeros. We conclude that almost every realization of
$([A], [B], [C])$ has no nontrivial zero dynamics. ■

Given a structured triple $([A], [B], [C])$ with $d$ nonzero elements, the set of parameters that make
$([A], [B], [C])$ a consensus system is a subset $S$ of $\mathbb{R}^d$, because the matrix $A$ needs to be row stochastic
and primitive. A certain property that holds generically in $\mathbb{R}^d$ needs not be valid generically with respect
to the feasible set $S$. Let $([A], [B], [C])$ be structure matrices, and let $S \subset \mathbb{R}^d$ be the set of parameters
that make $([A], [B], [C])$ a consensus system. We next show that the left-invertibility and the number of
invariant zeros are generic properties with respect to the parameter space $S$.

Theorem VI.1 (Genericity of consensus systems) Let $([A], [B], [C])$ be a $k$-connected structured
system. If the generic rank of $[B]$ is less than $k$, then almost every consensus realization of $([A], [B], [C])$
has no zero dynamics.

Proof: Let $d$ be the number of nonzero entries of the structured system $([A], [B], [C])$. From Theorem
VI.1 we know that, generically with respect to the parameter space $\mathbb{R}^d$, a numerical realization of
$([A], [B], [C])$ has no zero dynamics. Let $S \subset \mathbb{R}^d$ be the subset of parameters that makes $([A], [B], [C])$ a
consensus system. We want to show that the absence of zero dynamics is a generic property with respect
to the parameter space $S$. Observe that $S$ is dense in $\mathbb{R}^{\bar{d}}$, where $\bar{d} < d - n$ and $n$ is the dimension of
$[A]$. Then [26], [27], it can be shown that, in order to prove that our property is generic with respect
to $S$, it is sufficient to show that there exist some consensus systems which have no zero dynamics. To
construct a consensus system with no zero dynamics consider the following procedure. Let $(A, B, C)$ be
a nonnegative and irreducible linear system with no zero dynamics, where the number of inputs is strictly
less than the connectivity of the associated graph. Notice that, following the above discussion, such system
can always be found. The Perron-Frobenius Theorem for nonnegative matrices ensures the existence of
a positive eigenvector $x$ of $A$ associated with the eigenvalue of largest magnitude $r$ [19]. Let $D$ be the
diagonal matrix whose main diagonal equals $x$, then the matrix $r^{-1} D^{-1} A D$ is a consensus matrix [28].
A change of coordinates of $(A, B, C)$ using $D$ yields the system $(D^{-1}AD, D^{-1}B, CD)$, which has no
zero dynamics. Finally, the system $(r^{-1}D^{-1}AD, D^{-1}B, CD)$ is a $k$-connected consensus system with,
generically, no zero dynamics. Indeed, if there exists a value $z$, a state-zero direction $x_0$, and an input-zero
direction $g$ for the system $(r^{-1}D^{-1}AD, D^{-1}B, CD)$, then the value $zr$, with state direction $x_0/r$ and input
direction $g$, is an invariant zero of $(D^{-1}AD, D^{-1}B, CD)$, which contradicts the hypothesis. ■

6 A subset $S \subseteq P \subseteq \mathbb{R}^d$ is dense in $P$ if, for each $r \in P$ and every $\epsilon > 0$, there exists $s \in S$ such that the Euclidean distance $\|s - r\| < \epsilon$.

Because a sufficiently connected consensus system has generically no zero dynamics, the following 
remarks about the robustness of a generic property should be considered. First, generic means open, 
i.e. some appropriately small perturbations of the matrices of the system having a generic property do not 
destroy this property. Second, generic implies dense, hence any consensus system which does not have a 
generic property can be changed into a system having this property just by arbitrarily small perturbations. 
We are now able to state our generic resilience results for consensus networks. 

Theorem VI.2 (Generic identification of misbehaving agents) Given a $k$-connected consensus network,
generically, there exist only identifiable inputs for any set of $\lfloor \frac{k-1}{2} \rfloor$ misbehaving agents. Moreover,
generically, there exist identifiable inputs for every set of $k - 1$ misbehaving agents.

Proof: Since $2 \lfloor \frac{k-1}{2} \rfloor < k$, by Lemma VI.1 the consensus system with any set of $2 \lfloor \frac{k-1}{2} \rfloor$ has generically
no zero dynamics. By Theorem IV.3, any set of $\lfloor \frac{k-1}{2} \rfloor$ malicious agents is detectable and identifiable by
every node in the network. We now consider the case of faulty agents. Let $V$ be the set of nodes, and
$K_1, K_2 \subset V$, with $|K_1| = |K_2| = k - 1$, be two disjoint sets of faulty agents. Let $j \in V$. We need to
show the existence of identifiable, i.e., faulty, inputs. By using a result of [25] on the generic rank of the
matrix pencil of a structured system, since the given consensus network is $k$-connected and $|K_1| = k - 1$,
it can be shown that the system $(A, [B_{K_1} \; B_i], C_j)$, for all $i \in K_2$, is left-invertible, which confirms the
existence of identifiable inputs for the current network state. By Definition 4 we conclude that the faulty
set $K_1$ is generically identifiable by any well-behaving agent. ■

In other words, in a $k$-connected network, up to $\lfloor \frac{k-1}{2} \rfloor$ (resp. $k - 1$) malicious (resp. faulty) agents are
generically identifiable by every well behaving agent. Analogously, it can be shown that generically up
to $k - 1$ misbehaving agents are generically detectable. In the next section, we describe three algorithms
to detect and identify misbehaving agents.

VII. Intrusion detection algorithms 

In this section we present three decentralized algorithms to detect and identify misbehaving agents in 
a consensus network. Although the first two algorithms require only local measurements, the complete 
knowledge of the consensus network is necessary for the implementation. The third algorithm, instead, 
requires the agents to know only a certain neighborhood of the consensus graph, and it allows for a local 
identification of misbehaving agents. As it will be clear in the sequel, the third algorithm overcomes, 
under a reasonable set of assumptions, the limitations inherent to centralized detection and identification 
procedures. 

Our first algorithm is based upon the following result. 

Theorem VII.1 (Detection filter) Let $K$ be the set of misbehaving agents. Assume that the zero dynamics
of the consensus system $(A, B_K, C_j)$ are exponentially stable, for some $j$. Let $A_{N_j}$ denote the $N_j$ columns
of the matrix $A$. The filter

$$z(t+1) = (A + G C_j) z(t) - G C_j x(t),$$
$$\hat{x}(t) = L z(t) + H C_j x(t), \qquad (8)$$

with $G = -A_{N_j}$, $H = C_j^T$, and $L = I - H C_j$, is such that, in the limit for $t \to \infty$, the vector
$\hat{x}(t+1) - A\hat{x}(t)$ is nonzero only if the input $u_K(t)$ is nonzero. Moreover, if $K \subseteq N_j$, then the filter (8)
asymptotically estimates the state of the network, independent of the behavior of the misbehaving agents
$K$.

Proof: Let $G = -A_{N_j}$, and consider the estimation error $e(t+1) = z(t+1) - x(t+1) = (A +
G C_j)e(t) - B_K u_K(t)$. Notice that $L e(t) = L z(t) + C_j^T C_j x(t) - x(t)$, and hence $\hat{x}(t) = x(t) + L e(t)$.
Consequently, $\hat{x}(t+1) - A\hat{x}(t) = B_K u_K(t) + L e(t+1) - A L e(t)$. By using Lemma III.1 it is a
straightforward matter to show that $(A + G C_j)$ is Schur stable. If $u_K(t) = 0$, then $\hat{x}(t+1) - A\hat{x}(t)$
converges to zero. Suppose now that $K \subseteq N_j$. The reachable set of $e$, i.e., the minimum $(A + G C_j)$ invariant
containing $B_K$, coincides with $B_K$. Indeed $(A + G C_j)B_K = 0$. Since $B_K \subseteq \mathrm{Ker}(L)$ by construction, the
vectors $L e(t)$ and $\hat{x}(t) - x(t)$ converge to zero. ■

By means of the filter described in the above theorem, a distributed intrusion detection procedure
can be designed, see |fIT| . Here, each well-behaving agent only implements one detection filter, making
the asymptotic detection task computationally easy to be accomplished. We remark that, since the filter
converges exponentially, an exponentially decaying input of appropriate size may remain undetected (see
Lemma V.3 for a characterization of the effect of exponentially vanishing inputs on the final consensus
value). For a finite time detection of misbehaving agents, and for the identification of misbehaving
components, a more sophisticated algorithm is presented in Algorithm 1.
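The filter of Theorem VII.1 and the caveat tied to Lemma V.3, as an added example that is not from the paper: agent 0 runs the filter on a constructed 6-agent ring (weights 1/3, agent 3 misbehaving; the network, initial states and inputs are assumptions chosen for illustration). It compares the residual for no input, a persistent input and a geometrically vanishing input, and checks the consensus shift caused by the latter against the Lemma V.3 bound.

```python
# Added example (not from the paper): the detection filter of Theorem VII.1
# run by observer agent 0 on a constructed 6-agent ring, in plain Python.

N = 6
OBSERVER = 0      # agent j running the filter
INTRUDER = 3      # misbehaving set K = {3}; B_K is the canonical vector e_3


def consensus_matrix(n):
    """Constructed network: each agent averages itself and its two ring neighbours."""
    A = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for k in (i - 1, i, i + 1):
            A[i][k % n] = 1.0 / 3.0
    return A


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def measured_set(A, j):
    """N_j: the agents whose states agent j receives (support of row j, j included)."""
    return {k for k, a in enumerate(A[j]) if a != 0.0}


def filter_step(A, Nj, z, x):
    """z(t+1) = (A + G C_j) z(t) - G C_j x(t) with G = -A_{N_j}.

    A + G C_j is A with the N_j columns zeroed; -G C_j x(t) feeds the measured
    entries of x(t) through those same columns. Only x[k], k in N_j, is read.
    """
    n = len(A)
    return [sum(A[i][k] * (x[k] if k in Nj else z[k]) for k in range(n))
            for i in range(n)]


def estimate(Nj, z, x):
    """x_hat(t) = L z(t) + H C_j x(t) with H = C_j^T and L = I - H C_j."""
    return [x[k] if k in Nj else z[k] for k in range(len(z))]


def run(attack, steps=100):
    """Simulate x(t+1) = A x(t) + B_K u_K(t) next to the observer's filter.

    Returns the residual trace ||x_hat(t+1) - A x_hat(t)||_inf and the final
    state of the observer.
    """
    A = consensus_matrix(N)
    Nj = measured_set(A, OBSERVER)
    x = [1.0, 2.0, 3.0, 4.0, 5.0, 6.0]   # constructed initial states, average 3.5
    z = [0.0] * N                        # filter starts with no knowledge
    trace = []
    for t in range(steps):
        xhat = estimate(Nj, z, x)
        z = filter_step(A, Nj, z, x)
        x = matvec(A, x)
        x[INTRUDER] += attack(t)
        predicted = matvec(A, xhat)
        xhat_next = estimate(Nj, z, x)
        trace.append(max(abs(a - b) for a, b in zip(xhat_next, predicted)))
    return trace, x[OBSERVER]


def lemma_v3_bound(u0, z, n=N):
    """(1 - z)^{-1} * pi * B_K * u0, with pi = 1^T / n because A is doubly stochastic."""
    return u0 / n / (1.0 - z)


honest = run(lambda t: 0.0)
persistent = run(lambda t: 0.5)
vanishing = run(lambda t: 0.5 * 0.5 ** t)   # u(t) = z^t u0 with z = 0.5, u0 = 0.5

if __name__ == "__main__":
    for name, (trace, value) in (("honest", honest), ("persistent", persistent),
                                 ("vanishing", vanishing)):
        print(f"{name:10s} residual at t=99: {trace[-1]:.2e}  observer state: {value:.4f}")
    print("Lemma V.3 bound on the shift:", lemma_v3_bound(0.5, 0.5))
```

The residual of the vanishing input decays together with the filter's own start-up transient, so an asymptotic test cannot separate it from the honest run, yet the agreed value has moved by the full Lemma V.3 bound.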

Theorem VII.2 (Complete identification) Let $A$ be a consensus matrix, let $K$ be the set of misbehaving
agents, and let $c$ be the connectivity of the consensus network. Assume that:
(i) every agent knows the matrix $A$ and $k > |K|$, and
(ii) $k < c$, if the set $K$ is faulty, and $2k < c$ if the set $K$ is malicious.
Then the Complete Identification algorithm allows each well-behaving agent to generically detect and
identify every misbehaving agent in finite time.

Proof: We focus on agent $j$. Let $k = |K|$, and let $\mathcal{K}$ be the set containing all the $\binom{n-1}{k+1}$ combinations
of $k + 1$ elements of $V \setminus \{j\}$. For each set $\bar{K} \in \mathcal{K}$, consider the system $\Sigma_{\bar{K}} = (A, B_{\bar{K}}, C_j)$, and compute
a set of residual generator filters for $\Sigma_{\bar{K}}$. If the connectivity of the communication graph is sufficiently
high, then, generically, each residual function is nonzero if and only if the corresponding input is nonzero.
Let $K$ be the set of misbehaving nodes, then, whenever $K \subset \bar{K}$, the residual function associated with the
input $\bar{K} \setminus K$ becomes zero after an initial transient, so that the agent $\bar{K} \setminus K$ is recognized as well-behaving.
By exclusion, because the residuals associated with the misbehaving agents are always nonzero, the set
$K$ is identified. ■

By means of the Complete Identification algorithm, the detection and the identification of the misbehaving
agents take place in finite time, because the residual generators can be designed as dead-beat filters, and
independent of the misbehaving input. It should be noticed that, although no communication overhead is
introduced in the consensus protocol, the Complete Identification procedure relies on strong assumptions.
First, each agent needs to know the entire graph topology, and second, the number of residual generators
that each node needs to design is proportional to $\binom{n}{k+1}$. Because an agent needs to update these filters
after each communication round, when the cardinality of the network grows, the computational burden
may overcome the capabilities of the agents, making this procedure inapplicable.

7 We refer the interested reader to [17] for a design procedure of a dead beat residual generator. Notice that the possibility of detecting
and identifying the misbehaving agents is, as discussed in Sections IV and VI, guaranteed by the absence of zero dynamics in the consensus
system.
Algorithm 1 Complete Identification ($j$-th agent)

Input: $A$; $k > |K|$;
Require: The connectivity of $A$ to be $k + 1$, if $K$ is faulty, and $2k + 1$ otherwise;

Compute the residual generators for every set of $k + 1$ misbehaving agents;
while the misbehaving agents are unidentified do
    Exchange data with the neighbors;
    Update the state;
    Evaluate the residual functions;
    if every $i$-th residual is nonzero then
        Agent $i$ is recognized as misbehaving.



In the remaining part of this section, we present a computationally efficient procedure that only assumes
partial knowledge of the consensus network but yet allows for a local identification of the misbehaving
agents. Let $A$ be a consensus matrix, and observe that it can be written as $A_d + \varepsilon\Delta$, where $\|\Delta\|_\infty = 2$,
$0 < \varepsilon < 1$, and $A_d$ is block diagonal with a consensus matrix on each of the $N$ diagonal blocks. For
instance, let $A = [a_{kj}]$, and let $V_1, \ldots, V_N$ be the subsets of agents associated with the blocks. Then the
matrix $A_d = [\bar{a}_{kj}]$ can be defined as

(i) $\bar{a}_{kj} = a_{kj}$ if $k \neq j$, and $k, j \in V_i$, $i \in \{1, \ldots, N\}$,
(ii) $\bar{a}_{kk} = 1 - \sum_{j \in V_i, j \neq k} a_{kj}$, and
(iii) $\bar{a}_{kj} = 0$ otherwise.

Moreover, $\Delta = 2(A - A_d)/\|A - A_d\|_\infty$, and $\varepsilon = \frac{1}{2}\|A - A_d\|_\infty$. Note that, if $\varepsilon$ is "small", then the agents
belonging to different groups are weakly coupled. We assume the groups of weakly coupled agents to be
given, and we leave the problem of finding such partitions as the subject of future research, for which
the ideas presented in [29], [30] constitute a very relevant result.
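The construction in rules (i)-(iii), as an added example that is not from the paper: it splits a constructed 6-agent consensus matrix with two given groups into $A_d$, $\varepsilon$ and $\Delta$ (the matrix, the grouping and all function names are assumptions made for illustration). It also shows that, for a row-stochastic $A$, $\varepsilon$ equals the largest total weight any agent places on agents outside its own group.

```python
# Added example (not from the paper): weak-coupling split A = A_d + eps * Delta
# for a constructed 6-agent network with two given groups.

# Constructed row-stochastic matrix: two tightly coupled triples joined by
# the weak links 2 -> 3 (weight 0.05) and 3 -> 2 (weight 0.02).
A_EXAMPLE = [
    [0.50, 0.25, 0.25, 0.00, 0.00, 0.00],
    [0.25, 0.50, 0.25, 0.00, 0.00, 0.00],
    [0.25, 0.25, 0.45, 0.05, 0.00, 0.00],
    [0.00, 0.00, 0.02, 0.48, 0.25, 0.25],
    [0.00, 0.00, 0.00, 0.25, 0.50, 0.25],
    [0.00, 0.00, 0.00, 0.25, 0.25, 0.50],
]
GROUPS = [[0, 1, 2], [3, 4, 5]]   # V_1 and V_2, assumed given


def inf_norm(M):
    """Induced infinity norm: largest absolute row sum."""
    return max(sum(abs(v) for v in row) for row in M)


def group_index(groups, n):
    """Map each agent to its group; reject anything that is not a partition."""
    index = {k: g for g, members in enumerate(groups) for k in members}
    if sum(len(m) for m in groups) != n or sorted(index) != list(range(n)):
        raise ValueError("groups must partition the agents 0..n-1")
    return index


def decompose(A, groups):
    """Return (A_d, eps, Delta) following rules (i)-(iii) of the text."""
    n = len(A)
    group_of = group_index(groups, n)
    Ad = [[0.0] * n for _ in range(n)]
    for k in range(n):
        for j in range(n):
            if j != k and group_of[j] == group_of[k]:
                Ad[k][j] = A[k][j]        # rule (i): keep in-group weights
        Ad[k][k] = 1.0 - sum(Ad[k])       # rule (ii); rule (iii) leaves zeros
    diff = [[A[k][j] - Ad[k][j] for j in range(n)] for k in range(n)]
    norm = inf_norm(diff)
    if norm == 0.0:                       # A is already block diagonal
        return Ad, 0.0, [[0.0] * n for _ in range(n)]
    return Ad, 0.5 * norm, [[2.0 * d / norm for d in row] for row in diff]


def max_cross_weight(A, groups):
    """Largest total weight that a single agent assigns to other groups."""
    group_of = group_index(groups, len(A))
    return max(sum(a for j, a in enumerate(row) if group_of[j] != group_of[k])
               for k, row in enumerate(A))


AD, EPS, DELTA = decompose(A_EXAMPLE, GROUPS)

if __name__ == "__main__":
    print("eps =", EPS, " max cross-group weight =", max_cross_weight(A_EXAMPLE, GROUPS))
    print("||Delta||_inf =", inf_norm(DELTA))
```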

We now focus on the $h$-th block. Let $K = v \cup l$ be the set of misbehaving agents, where $v = V_h \cap K$,
and $l = K \setminus v$. Assume that the set $v$ is identifiable by agent $j \in V_h$ (see Section IV). Then, agent $j$ can
identify the set $v$ by means of a set of residual generators, each one designed to decouple a different set
of $|v| + 1$ inputs. To be more precise, let $i \in V_h \setminus v$, and consider the system

and the system

where the quadruple $(F_v, E_v, M_v, H_v)$ (resp. $(F_i, E_i, M_i, H_i)$) describes a filter of the form (Q, and it is
designed as in ifTTll . Then the misbehaving agents $v$ are identifiable by agent $j$ because $v$ is the only set
such that, for every $i \in V_h \setminus v$, it holds $r_v \neq 0$ and $r_i = 0$ whenever $u_v \neq 0$. It should be noticed that,
since $A_d$ is block diagonal, the residual generators to identify the set $v$ can be designed by only knowing
the $h$-th block of $A_d$, and hence only a finite region of the original consensus network.

Algorithm 2 Local Identification ($j$-th agent)

Input: $A_d^h$; $k_j > |K \cap V_h|$; threshold $T_h$
Require: The connectivity of $A_d^h$ to be $k_j + 1$, if $K$ is faulty, and $2k_j + 1$ otherwise;

while the misbehaving agents are unidentified do
    Exchange data with the neighbors;
    Update the state;
    Evaluate the residual functions;
    if $i$-th residual is greater than $T_h$ then
        Agent $i$ is recognized as misbehaving.

By applying the residual generators to the consensus system $A_d + \varepsilon\Delta$ with misbehaving agents $K$ we get

= A F 
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A d + eA 
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A d + eA 
Because of the matrix $\Delta$ and the input $u_l(t)$, the residual $r_i(t)$ is generally nonzero even if $u_i = 0$. However,
the misbehaving agents $v$ remain identifiable by $j$ if for each $i \in V_h \setminus v$ we have $\|r_v\|_\infty > \|r_i\|_\infty$ for all
$u_v \neq 0$.

Theorem VII.3 (Local identification) Let $V$ be the set of agents, let $K$ be the set of misbehaving agents,
and let $A_d + \varepsilon\Delta$ be a consensus matrix, where $A_d$ is block diagonal, $\|\Delta\|_\infty = 2$, and $0 < \varepsilon < 1$. Let
each block $h$ of $A_d$ be a consensus matrix with agents $V_h \subseteq V$, and with connectivity $|K \cap V_h| + 1$. There
exist $\alpha > 0$ and $u_{\max} > 0$, such that, if each input signal $u_i(t)$, $i \in K$, takes value in
$U = \{u : \varepsilon\alpha u_{\max} < \|u\|_\infty < u_{\max}\}$,⁸ then each well-behaving agent $j \in V_h$ identifies in finite time the faulty agents $K \cap V_h$
by means of the Local Identification algorithm.

Proof: We focus on the agent $j \in V_h$, and, without loss of generality, we assume that $u_K(0) \neq 0$, and
that the residual generators have a finite impulse response. Let $d_j = |V_h|$, and note that $d_j$ time steps are
sufficient for each agent $j \in V_h$ to identify the misbehaving agents. Let $u^t$ denote the input sequence up to
time t. Let v = K nV h , I = K\v, and observe that f v (dj ) = [h v c 3 m v ] A £ ^ v x(0) + h v *Uy~ +hi*u l J ~ , 
where h v and hi denote the impulse response from u v and ui respectively, and * denotes the convolution 
operator. We now determine an upper bound for each term of f v (dj). Let the misbehaving inputs take 



The norm ||u||oo is intended in the vector sense at every instant of time. The misbehaving input is here assumed to be nonzero at every 
instant of time. 
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value in U = {u : eau max < ||w||oo < u max }. By using the triangle inequality on the impulse responses 
of the residual generator, it can be shown that \\hi * u^ W^ < \\hi * u^ ||oo + sciu max = eciu max , 
where hi denotes the impulse response form Ui to r v of the system (|9]), and c\ is a finite positive constant 
independent of e. Moreover, it can be shown that there exist two positive constant C2 and C3 such that 
|| [h v Cj M v \ Ae^^lloo < ec 2 u max , and mm Uve u \\h v * u v j ~ |U > min Ut , eW \\h v * u v 3 ~ \\^ - ec 3 u max . 
Analogously, for the residual generator associated with the well-behaving agent i, we have fi(dj) = 

+ hi * u^ , and hence fi{dj) < e{c± + eg' + Cg )u max . Let c = c\ + 

C2 + c 3 + max ieVh \ v {c^' + C5 + 4 ), and let /3 be such that min Uj;eW ||/i.„ * w„ J_ ||oo > /3w m i n . Then a 
correct identification of the misbehaving agents v takes place if /Sitmin = /3£cra max > £cu max , and hence if 
a > c//3. M 



' H>Cj M>] Af^O) + h v * U d v r 



Notice that the constant $\alpha$ in Theorem VII.3 can be computed by bounding the infinity norm of the
impulse response of the residual generators. An example is in Section VIII-B. A procedure to achieve
local detection and identification of misbehaving agents is in Algorithm 2, where $A_d^h$ denotes the $h$-th
block of $A_d$, and $T_h$ the corresponding threshold value. Observe that in the Local Identification procedure
an agent only performs local computation, and it is assumed to have only local knowledge of the network
structure.



Remark 3 It is a nontrivial fact that the misbehaving agents become locally identifiable depending on
the magnitude of $\varepsilon$. Indeed, as long as $\varepsilon > 0$, the effect of the perturbation $\varepsilon\Delta$ on the residuals becomes
eventually relevant and prevents, after a certain time, a correct identification of the misbehaviors [29]. □



VIII. Numerical examples 
A. Complete detection and identification 

Consider the network of Fig. 3(a), and let $A$ be a randomly chosen consensus matrix. In particular, let

A =

0.2795 0.1628 0.1512 0.4066
0.0143 0.3363 0.3469 0.3025
0.0718 0.1904 0.2438 0.4941
0.0844 0.4457 0.0660 0.4040
0.1709 0.2694 0.2472 0.3125
0.4199 0.1575 0.3293 0.0932
0.0174 0.4241 0.2850 0.2735
0.3024 0.2039 0.2065 0.2873



The network is 3-connected, and it can be verified that for any set $K$ of 3 misbehaving agents, and for any
observer node $j$, the triple $(A, B_K, C_j)$ is left-invertible. Also, for any set $K$ of cardinality 2, and for any
node $j$, the triple $(A, B_K, C_j)$ has no invariant zeros. As previously discussed, any well-behaving node can
detect and identify up to 2 faulty agents, or up to 1 malicious agent. Consider the observations of the agent
1, and suppose that the agents {3, 7} inject a random signal into the network. As described in Algorithm
1, the agent 1 designs the residual generator filters and computes the residual functions for each of the
$\binom{7}{3}$ possible sets of misbehaving nodes, and identifies the well-behaving agents. Consider for example the
system $x(t+1) = Ax(t) + B_3 u_3(t) + B_4 u_4(t) + B_7 u_7(t)$, and suppose we want to design a filter of the
form §2§ which is only sensitive to the signal $u_4$. The unobservability subspace Sf£ 7 \ = (V/ 37 | +<S| 37 -i),
is
and a possible choice for the matrices of the residual generator is
0.0014 -0.3222 -0.3424
.-0.0013 0.3031 0.3222 

-10 1 

0.9999 0.0128 J ' 



E 



and H 



0.2795 0.1628 0.1512 0.4066 
0.0138 0.4982 -0.2280 0.2003 
0.0082 -0.6095 0.3012 -0.1568 

[10 1 

LO -0.7491 0.5832 -0.3142 J • 
Fig. 3. In Fig. 3(a) a consensus network where the nodes 3 and 7 are faulty. In Fig. 3(b) the residual functions computed by the agent 1
under the hypothesis that the misbehaving set is {3, 4, 7}.



It can be checked that, independent of the initial condition of the network, the residual function associated
with the input 4 is zero, as in Fig. 3(b), so that the agent 4 is regarded as well-behaving. Agents 3, 7, instead,
have always nonzero residual functions, and are recognized as misbehaving. If the misbehaving nodes
are allowed to be malicious, then no more than 1 misbehaving node can be tolerated. Indeed, because of
Theorem IV.1, there exists a set $K$ of 4 misbehaving agents such that the system $(A, B_K, C_1)$ exhibits
nontrivial zero dynamics. For instance, let $K = \{2,4,6,8\}$, and note that if the initial condition $x(0)$
belongs to



V* = Im 
then the input $u_K(t) = F_b x(t)$, where



-0.3469 -0.1860 
-0.4457 0.1966 
-0.1063 
0.0636 



0.1472 
-0.1555 
-0.1148 0.0841 
-0.1894 -0.0503 



is such that $y_1(t) = 0$ for all $t > 0$. Therefore, the two systems $(A, B_{\{2,4\}}, C_1)$ and $(A, B_{\{6,8\}}, C_1)$ with
initial conditions $x_1(0)$ and $x_2(0) = x_1(0) - x(0)$, and inputs

$$u_{\{2,4\}}(t) = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \end{bmatrix} F_b (x_1(t) - x_2(t)), \qquad u_{\{6,8\}}(t) = \begin{bmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} F_b (x_2(t) - x_1(t)),$$

have exactly the same output dynamics, so that the two sets {2,4} and {6,8} are indistinguishable by
the agent 1.



B. Local detection and identification 



Consider the consensus network in Fig. 4(a), where $A = A_d + \varepsilon\Delta$, $\varepsilon \in \mathbb{R}$, $0 < \varepsilon < 1$, and
00 10-100




00 00000 




00 00000 




00 1000-1 





The malicious agents need to know the entire state to implement this feedback law. The case in which only local feedback is allowed is
left as a direction for future research, for which the result in [12] is meaningful.
Fig. 4. In Fig. 4(a) a consensus network with weak connections. In Fig. 4(b) the solid line corresponds to the largest magnitude of the
residual associated with the well-behaving agent 3, while the dashed line denotes the smallest magnitude of the residual associated with the
misbehaving agent 2, both as a function of the parameter $\varepsilon$. If $\varepsilon < \varepsilon^*$, then there exists a threshold that allows the identification of the misbehaving
agent 2.



Let $K = \{2,7\}$ be the set of misbehaving agents, let $0.1 < u_2(t), u_7(t) < 3$ at each time $t$, and
let $\|x(0)\|_\infty < 1$. Consider the agent 1, and let $(F_2, E_2, M_2, H_2)$ and $(F_3, E_3, M_3, H_3)$ be the residual
generators as in (9) and (10), respectively, where



and 



-1/3 -1/3 
1/3 1/3 



-1/3 1/3 
-1/3 1/3 



Eo 



E* 



-2/3 -1/3 
2/3 1/3 



-2/3 -1/3 
-2/3 -1/3 



Mo 



:s-°i], 



Ho 



M s 



-101 

lJ ' 



H* 



10 01 
.0 1 oJ > 



-1 01 

lJ 



Let $h_2$ (resp. $h_7$) be the impulse response from the input $u_2$ (resp. $u_7$) to $r_3$, and let $u_2^1$ (resp. $u_7^1$) denote
the input signal $u_2$ (resp. $u_7$) up to time 1. Note that the misbehaving agent can be identified after 2 time
steps, and that the residual associated with the agent 3 is



" A d +eA I 2 
f 3 (2) = [H 3 Ci M 3 ] [

where * denotes the convolution operator. After some computation we obtain 

f 3 (2) = e[H 3 Ci M 3 

and, analogously, 

f 2 (2) = e[H 2 Ci m 2 
Recall that the agent 1 is able to identify the misbehaving agent 2 if, independent of $u_2^1$ and $u_7^1$, there exists
a threshold $T$ such that $\|r_2(2)\|_\infty > T$, and $\|r_3(2)\|_\infty < T$. The behavior of $\|r_2(2)\|_\infty$ and $\|r_3(2)\|_\infty$ as
a function of $\varepsilon$ is in Fig. 4(b). Note that for $\varepsilon = \varepsilon^* = 0.026$ we have $\|r_2(2)\|_\infty = \|r_3(2)\|_\infty = 0.07$. For
instance, if $\varepsilon = 0.01$, then it can be verified that $\|r_2(2)\|_\infty > 0.1$, and $\|r_3(2)\|_\infty < 0.05$. It follows that a
threshold $T = 0.1$ allows the agent 1 to identify the misbehaving agent 2. On the other hand, if $\varepsilon = 0.03$,
then $\|r_2(2)\|_\infty > 0.01$, and $\|r_3(2)\|_\infty < 0.12$, so that the misbehaving agent 2 may remain unidentified.



Indeed, if x(Q) 



111-1-1-1 



Uo 



»i 



[0.1 0.1], then \\r 2 



0.01 and f 3 



0.12, so 



that the agent 3 is recognized as misbehaving instead of the agent 2. 
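
The threshold test discussed in this example can be reproduced on a network small enough to check by hand. The following Python code is an added example, not code from the paper: the 6-agent network, its weights, the inputs and all function names are constructed, and agent 0 is assumed to measure every state in its own cluster, so its residual is the one-step prediction error of the local block model rather than the output of the residual generator filters.

```python
# Constructed network: clusters {0,1,2} and {3,4,5}; agent 0 observes cluster 0.
N, BLOCK = 6, (0, 1, 2)
X0 = [1, 1, 1, -1, -1, -1]                  # constructed initial condition
INPUTS = [[0, 0.1, 0, 0, 0.1, 0]] * 3       # agents 1 and 4 inject 0.1 for 3 steps

def consensus_matrix(eps):
    """A = A_d + eps*Delta. A_d averages inside each cluster; Delta has zero row
    sums and infinity norm 2, and moves weight eps onto the edge between 2 and 3."""
    A = [[1 / 3 if i // 3 == j // 3 else 0.0 for j in range(N)] for i in range(N)]
    for i, j in ((2, 3), (3, 2)):
        A[i][i] -= eps
        A[i][j] += eps
    return A

def residual_trace(eps, x0=X0, inputs=INPUTS):
    """Residuals seen by agent 0, which knows only its own block of A_d.

    Assumption: agent 0 measures every state in its cluster, so the residual of
    agent i is |x_i(t+1) - (block model prediction)|, here the cluster mean.
    """
    A, x, trace = consensus_matrix(eps), list(x0), []
    for u in inputs:
        x_next = [sum(A[i][j] * x[j] for j in range(N)) + u[i] for i in range(N)]
        predicted = sum(x[i] for i in BLOCK) / len(BLOCK)
        trace.append({i: abs(x_next[i] - predicted) for i in BLOCK})
        x = x_next
    return trace

def identify(trace, threshold):
    """Threshold test of Algorithm 2: flag agent i once its residual exceeds T."""
    return {i for residuals in trace for i, r in residuals.items() if r > threshold}

def residual_gap(trace, misbehaving):
    """Smallest misbehaving residual minus largest well-behaving residual.
    A positive gap means some threshold separates the two groups."""
    lo = min(r for res in trace for i, r in res.items() if i in misbehaving)
    hi = max(r for res in trace for i, r in res.items() if i not in misbehaving)
    return lo - hi

if __name__ == "__main__":
    for eps in (0.01, 0.08):
        trace = residual_trace(eps)
        print(eps, round(residual_gap(trace, {1}), 4), identify(trace, 0.05))
```

With a coupling weight of 0.01 a threshold of 0.05 flags only agent 1; with a weight of 0.08 the coupling term pushes the residual of the well-behaving agent 2 above that of agent 1, so no threshold separates them.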

As a final remark, note that the larger the consensus network, the more convenient the proposed
approximation procedure becomes. For instance, consider the network presented in [31], and here reported
in Fig. 5(a). Such a clustered interconnection structure, in which the edges connecting different clusters
have a small weight, may be preferable in many applications because much simpler and more efficient protocols
can be implemented within each cluster. Assume the presence of a misbehaving agent in each cluster, and
consider the residuals computed after 5 steps of the consensus algorithm. Let $\varepsilon$ be the weight of the edges
connecting different clusters. Fig. 5(b) shows, as a function of $\varepsilon$, the smallest magnitude of the residual
associated with a misbehaving agent (dashed line) versus the largest magnitude of the residual associated
with a well-behaving agent (solid line). If $\varepsilon$ is sufficiently small, then our local identification method
allows each well-behaving agent to promptly detect and identify the misbehaving agents belonging to
the same group, and hence to restore the functionality of the network. For instance, if $\varepsilon < 0.01$, then,
following Theorem VII.3, if the misbehaving inputs take value in $\{u : 0.1 < |u| < 3\}$, then a misbehaving
agent is correctly detected and identified by a well-behaving agent.

Fig. 5. In Fig. 5(a) a consensus network partitioned into 3 areas. Each agent identifies the neighboring misbehaving agents by knowing
only the topology of the subnetwork it belongs to. In Fig. 5(b) the smallest magnitude of the residual associated with a misbehaving agent
(dashed line) and the largest magnitude of the residual associated with a well-behaving agent (solid line) are plotted as a function of $\varepsilon$. If $\varepsilon$
is sufficiently small, then local detection and identification is possible.



IX. Conclusion 

The problem of distributed reliable computation in networks with misbehaving nodes is considered, 
and its relationship with the fault detection and isolation problem for linear systems is discussed. The 
resilience of linear consensus networks to external attacks is characterized through some properties of 
the underlying communication graph, as well as from a system-theoretic perspective. In almost any linear 
consensus network, the misbehaving components can be correctly detected and identified, as long as the 
connectivity of the communication graph is sufficiently high. Precisely, for a linear consensus network to 
be resilient to k concurrent faults, the connectivity of the communication graph needs to be 2k + 1, if 
Byzantine failures are allowed, and k + 1, otherwise. Finally, for the faulty agents case, good performance 
can be obtained even if the agents do not know the entire network topology, and they are subject to 
memory or computation constraints. 

Interesting aspects requiring further investigation include a characterization of the gain between the 
inputs of a set of misbehaving agents and the observations of an agent j. Depending on the magnitude of 
such gain, some undetectable behaviors may not be feasible for a set of misbehaving agents. The resilience 
properties of specific consensus protocols, e.g., those resulting from an optimization process, should also 
be studied. Finally, the clustering of a large network into smaller parts is crucial for the performance of 
the proposed local identification procedure, and it requires additional research. 